Fifth Third Bancorp (FITB) Risk Analysis

Fifth Third's ability to deliver strong financial performance and returns on investment to shareholders will depend in part on its ability to expand the scope of available financial services to meet the needs and demands of its customers. In addition to the challenge of competing against other banks in attracting and retaining customers for traditional banking services, Fifth Third's competitors also include securities dealers, brokers, mortgage bankers, investment advisors and specialty finance, telecommunications, technology and insurance companies as well as large retailers who seek to offer one-stop financial services in addition to other products and services desired by consumers that may include services that banks have not been able or allowed to offer to their customers in the past or may not be currently able or allowed to offer. Many of these other firms may be significantly larger than Fifth Third and may have access to customers and financial resources that are beyond Fifth Third's capability. Fifth Third competes with these firms with respect to capital, access to capital, revenue generation, products, services, transaction execution, innovation, reputation, talent and price. This increasingly competitive environment is primarily a result of changes in customer preferences, regulation, changes in technology and product delivery systems, as well as the accelerating pace of consolidation among financial service providers. Rapidly changing technology and consumer preferences may require Fifth Third to effectively implement new technology-driven products and services in order to compete and meet customer demands. Fifth Third may not be able to do so or be successful in marketing these products and services to its customers. As a result, Fifth Third's ability to effectively compete to retain or acquire new business may be impaired, and its business, financial condition or results of operations, may be adversely affected. Fifth Third may make strategic investments and may expand an existing line of business or enter into new lines of business to remain competitive. If Fifth Third's chosen strategies are not appropriate to allow Fifth Third to effectively compete or Fifth Third does not execute them in an appropriate or timely manner, Fifth Third's business and results may suffer. Additionally, these strategies, products and lines of business may bring with them unforeseeable or unforeseen risks and may not generate the expected results or returns, which could adversely affect Fifth Third's results of operations or future growth prospects and cause Fifth Third to fail to meet its stated goals and expectations.

With the launch of real-time payments networks, such as RTP from The Clearing House and FedNow from the Federal Reserve, instantaneous cash settlement capabilities are available 24 hours a day and 7 days a week. The implications of the new settlement capabilities are far reaching and have not yet significantly affected the banking industry. As market adoption increases, Fifth Third may be required to hold more liquidity reserves in cash to facilitate cash settlement activity outside of traditional business hours. Additionally, instantaneous settlement will likely reduce float benefits associated with providing deposit and banking services, as well as pose incremental fraud risk due to a reduced ability to reverse fraudulent transactions due to the speed of money movement.

Fifth Third's actual or alleged conduct in activities, such as certain sales and lending practices, data security, operational resiliency, corporate governance and acquisitions, inappropriate behavior or misconduct of employees, failure to deliver minimum or required standards of service or quality, association with particular customers, business partners, investments or vendors, as well as developments from any of the other risks described above, may result in negative public opinion at large (or with certain segments of the public) and may damage Fifth Third's reputation. Because Fifth Third conducts most of its businesses under the "Fifth Third" brand, negative public opinion about one business could affect its other businesses. Actions taken by government regulators, shareholder activists and community organizations may also damage Fifth Third's reputation. Additionally, whereas negative public opinion once was primarily driven by adverse news coverage in traditional media, the advent and expansion of social media facilitates the rapid dissemination of information or misinformation. Though Fifth Third monitors social media channels, the potential remains for rapid and widespread dissemination of inaccurate, misleading or false information or other negative information that could damage Fifth Third's reputation. Negative public perception can adversely affect Fifth Third's ability to attract and keep customers and can increase the risk that it will be a target of litigation and regulatory action or experience an accelerated deposits withdrawal event.

Fifth Third develops for itself, and licenses from others, intellectual property for use in conducting its business. This intellectual property has been, and may be, subject to misappropriation or infringement by third parties as well as claims that Fifth Third's use of certain technology or other intellectual property infringes on rights owned by others. Fifth Third has been, and may be, subject to disputes and/or litigation concerning these claims and could be held responsible for significant damages covering past activities and substantial fees to continue to engage in these activities in the future. Fifth Third may also be unable to acquire rights to use certain intellectual property that is important for its business and may be unable to effectively engage in critical business activities. If Fifth Third is unable to protect or acquire rights to use intellectual property it owns or licenses, it may lose certain competitive advantages, incur expenses and/or lose revenue and may suffer harm to its business results and financial condition.

In today's digital world, more and more of Fifth Third's business is conducted primarily via digital and mobile technology and information management systems. This includes the use of cloud computing, digital applications and third-party providers that host and store sensitive employee and customer information. Failures, interruptions of service or breaches in the security of these environments occur across the financial services industry with some frequency, including at Fifth Third and its third-party providers. If an event of this nature occurred at Fifth Third or one of its third-party providers and such event proved to be material, this could result in disruptions to Fifth Third's accounting, deposit, lending and other systems, and adversely affect its customer relationships. While Fifth Third heavily invests in information security, technical resiliency, business continuity and disaster recovery planning, and has policies and procedures designed to detect, limit, and prevent the impact of these possible events, there can be no assurance that any such failure, interruption or security breach will not occur or, if any does occur, that it can be remediated in such a way to eliminate the risk. There will always be efforts on the part of threat actors to breach information security at financial institutions or with respect to financial transactions. There have been several recent instances involving financial services, credit bureaus and consumer-based companies reporting the unauthorized disclosure of client or customer information or the destruction or theft of corporate data, by both private individuals and foreign governments. In addition, because the techniques used to cause such security breaches change frequently, often are not recognized until launched against a target and may originate from remote and less regulated areas around the world, Fifth Third may be unable to proactively address these techniques or to implement adequate preventative measures. Threat actors, including nation state attackers, could also use artificial intelligence for malicious purposes, increasing the frequency, complexity and effectiveness of their attacks. Despite Fifth Third's efforts to prevent a cyber-attack and monitoring of data flow inside and outside Fifth Third, due to the increasing sophistication of techniques used by attackers to conceal access to systems, a successful cyber-attack could persist for an extended period of time before being detected, and, following detection, it could take considerable time for Fifth Third to obtain full and reliable information about the cybersecurity incident and the extent, amount and type of information compromised. During the course of an investigation, Fifth Third may not necessarily know the full effects of the incident or how to remediate it, and actions and decisions that are taken or made in an effort to mitigate risk may further increase the costs and other negative consequences of the incident. Furthermore, financial services companies are regularly the target of cyber-attacks such as distributed denial of service, social engineering and ransomware attacks. The unintentional or willful acts or omissions of employees also remains the primary avenue through which threat actors attempt to gain access to company networks, information systems, data and credentials. An additional risk is the use of third- and fourth-party providers to host critical data and platforms for Fifth Third, or in some cases provide services to Fifth Third domestically and internationally. Fifth Third has a third-party risk program to oversee third- and fourth-party providers. This does not eliminate all risk and its failure to do so could result in customer losses, operational issues, litigation, regulatory actions and reputational damage. Industry trends demonstrate a shift towards the use of cloud providers, Software as a Service partners and hosted platforms rather than traditional software services that can be operated from within a company's firewall and data centers, and the implementation and development of new and emerging technologies such as artificial intelligence. These additional risks are further heightened through the increasing use of near real-time money movement solutions such as Zelle, and increase the difficulty to detect, prevent and recover fraudulent transactions. These additional risks are increasing the costs of Fifth Third's investment in technology and cybersecurity and require further investment in cyber-related and data loss event insurance which Fifth Third has in place. Though Fifth Third has insurance against some cybersecurity risks and attacks, it may not be sufficient to offset the impact of a material loss event. Future investment in these areas could have higher than expected costs and/or result in operating inefficiencies, which could increase the costs associated with the implementation as well as ongoing operations. If personal, confidential or proprietary information of customers or clients in the Bancorp's or such vendors' or other third-parties' possession were to be mishandled or misused, the Bancorp could suffer significant regulatory consequences, reputational damage and financial loss.

Fifth Third's success depends, in large part, on its ability to attract and retain key individuals. Competition for qualified candidates in the activities and markets that Fifth Third serves is intense, which may increase Fifth Third's expenses and may result in Fifth Third not being able to hire candidates or retain them. If Fifth Third is not able to hire qualified candidates or retain its key personnel, Fifth Third may be unable to execute its business strategies and may suffer adverse consequences to its business, operations and financial condition. Compensation paid by financial institutions such as Fifth Third is heavily regulated, particularly under Dodd-Frank, which affects the amount and form of compensation Fifth Third pays to hire and retain talented employees. If Fifth Third is unable to attract and retain qualified employees, or do so at rates necessary to maintain its competitive position, or if compensation costs required to attract and retain employees become more expensive, Fifth Third's performance, including its competitive position, could be materially adversely affected.

Fifth Third's operations, including its financial and accounting systems, use computer systems and telecommunications networks operated by both Fifth Third and third-party service providers. Fifth Third may not be sufficiently resilient and may not recover from significant operational events in a timely manner which could create operational and reputational risks. Additionally, Fifth Third collects, processes and stores sensitive consumer data by utilizing those and other systems and networks. Fifth Third has security, backup and recovery systems in place, as well as a business continuity plan to ensure the systems will not be inoperable. Fifth Third also has security to prevent unauthorized access to the systems. In addition, Fifth Third requires its third-party service providers to maintain similar controls. However, Fifth Third cannot be certain that the measures will be successful, particularly given the rapidly evolving sophistication of threat actors and technologies. A security breach in these systems or the loss or corruption of confidential information such as business results, transaction records and related information could adversely impact Fifth Third's ability to provide timely and accurate financial information in compliance with legal and regulatory requirements, which could result in sanctions from regulatory authorities, significant reputational harm and the loss of customer confidence in Fifth Third. Additionally, security breaches or the loss, theft or corruption of customer information such as social security numbers, credit card numbers, account balances or other information could result in losses by Fifth Third's customers, litigation, regulatory sanctions, lost customers and revenue, increased costs and significant reputational harm. Fifth Third's necessary dependence upon automated systems to record and process its transaction volume poses the risk that technical system flaws or employee errors, tampering or manipulation of those systems could result in losses and may be difficult to detect. Fifth Third may also be subject to disruptions of its operating systems arising from events that are beyond its control (for example, cyber-attacks, equipment failure, or electrical or telecommunications outages). Third-party service providers with which the Bancorp does business both domestically and offshore, as well as vendors and other third parties with which the Bancorp's customers do business, can also be sources of operational risk to the Bancorp, particularly where processes are highly concentrated or in widespread use on critical Bancorp systems, or activities of customers are beyond the Bancorp's security and control systems, such as through the use of the internet, personal computers, tablets, smart phones and other mobile services. Security breaches or system failures affecting the Bancorp or its third-party providers can increase operational costs and reduce customer satisfaction, as the Bancorp takes steps to protect its systems and safeguard confidential information. If personal, confidential or proprietary information of customers or clients in the Bancorp's or such vendors' or other third parties' possession were to be mishandled or misused, the Bancorp could suffer significant regulatory consequences, reputational damage and financial loss. Such mishandling or misuse could include circumstances where, for example, such information was erroneously provided to parties who are not permitted to have the information, either through the fault of the Bancorp's systems, employees or counterparties, or where such information was intercepted or otherwise compromised by threat actors. The Bancorp may be subject to disruptions of its operating systems arising from events that are wholly or partially beyond the Bancorp's control, which may include, for example, security breaches; electrical or telecommunications outages; failures of computer components or servers or other damage to the Bancorp's property or assets; natural disasters or severe weather conditions; health emergencies; or events arising from local or larger-scale political events, including outbreaks of hostilities or terrorist acts. While the Bancorp believes that its current business continuity plans are both sufficient and adequate, there can be no assurance that such plans will fully mitigate all potential business continuity risks to the Bancorp or its customers and clients. Any failures or disruptions of the Bancorp's systems or operations could give rise to losses in service to customers and clients, adversely affect the Bancorp's business and results of operations by subjecting the Bancorp to losses or liability, or require the Bancorp to expend significant resources to correct the failure or disruption, as well as by exposing the Bancorp to reputational harm, litigation, regulatory fines or penalties or losses not covered by insurance. In addition, any security compromise or information technology system disruptions in the financial services industry as a whole, whether actual or perceived, could interrupt the Bancorp's business or operations, harm its reputation, erode borrower confidence, negatively affect the Bancorp's ability to attract new members, or subject it to third-party lawsuits, regulatory fines or other action or liability, which could adversely affect Fifth Third's business and results of operations. The Bancorp could also be adversely affected if it loses access to information or services from a third-party service provider as a result of a security breach or system or operational failure, or disruption affecting the third-party service provider. Fifth Third's insurance may be inadequate to compensate for failures by, or affecting, third-party service providers upon which Fifth Third relies.

The FDIC maintains a Deposit Insurance Fund ("DIF") to protect insured depositors in the event of bank failures. The DIF is funded by fees assessed on insured depository institutions including the Bank. Future deposit premiums paid by the Bank depend on FDIC rules, which are subject to change, the level of the DIF and the magnitude and cost of future bank failures. As of June 30, 2020, the DIF reserve ratio fell to 1.30%, below the statutory minimum of 1.35%. In order to restore the DIF to its statutorily mandated minimums, the FDIC significantly increased deposit insurance premium rates, including the Bank's, resulting in increased expenses. The revised assessment rate schedules became effective January 1, 2023, and were applicable to the first quarterly assessment period of 2023. Additionally, in November 2023, the FDIC issued a final rule for a special deposit insurance assessment to recover the costs associated with protecting uninsured depositors following the bank failures that occurred in 2023. Subsequently, in 2024, the FDIC announced that it expects to incur additional losses related to these bank failures beyond its initial estimates, resulting in an increase to the amount of the special assessment allocated to each member bank. The Bancorp currently expects to pay the special assessment to the FDIC over a total of ten quarterly assessment periods, which began with the first quarter of 2024. The FDIC may further increase the assessment rates or impose additional special assessments in the future, which may require the Bank to pay significantly higher FDIC premiums.